#!/usr/bin/env python3 from Crypto.Util.number import isPrime, getPrime, long_to_bytes, bytes_to_long from Crypto.Random.random import getrandbits, randint from Crypto.Hash import SHA512 LOOP_LIMIT = 2000 def hash(val, bits=1024): output = 0 for i in range((bits//512) + 1): h = SHA512.new() h.update(long_to_bytes(val) + long_to_bytes(i)) output = int(h.hexdigest(), 16) << (512 * i) ^ output return output def gen_snore_group(N=512): q = getPrime(N) for _ in range(LOOP_LIMIT): X = getrandbits(2*N) p = X - X % (2 * q) + 1 if isPrime(p): break else: raise Exception("Failed to generate group") r = (p - 1) // q for _ in range(LOOP_LIMIT): h = randint(2, p - 1) if pow(h, r, p) != 1: break else: raise Exception("Failed to generate group") g = pow(h, r, p) return (p, q, g) def snore_gen(p, q, g, N=512): x = randint(1, q - 1) y = pow(g, -x, p) return (x, y) def snore_sign(p, q, g, x, m): k = randint(1, q - 1) r = pow(g, k, p) e = hash((r + m) % p) % q s = (k + x * e) % q return (s, e) def snore_verify(p, q, g, y, m, s, e): if not (0 < s < q): return False rv = (pow(g, s, p) * pow(y, e, p)) % p ev = hash((rv + m) % p) % q return ev == e def main(): p, q, g = gen_snore_group() print(f"p = {p}") print(f"q = {q}") print(f"g = {g}") queries = [] for _ in range(10): x, y = snore_gen(p, q, g) print(f"y = {y}") print('you get one query to the oracle') m = int(input("m = ")) queries.append(m) s, e = snore_sign(p, q, g, x, m) print(f"s = {s}") print(f"e = {e}") print('can you forge a signature?') m = int(input("m = ")) s = int(input("s = ")) # you can't change e >:) if m in queries: print('nope') return if not snore_verify(p, q, g, y, m, s, e): print('invalid signature!') return queries.append(m) print('correct signature!') print('you win!') print(open('flag.txt').read()) if __name__ == "__main__": main()